[rhn-users] Off-line update

rhn-users List Readers at Axoria Ltd role.rhn-users at axoria.net
Thu Mar 4 18:07:58 UTC 2004


Hi,

Further to my previous comments... The way I do it is to build the
machine on my LAN, which is behind a NAT gateway as well as a typical
firewall. I configure the NAT gateway and firewall to restrict
traffic to RHN (by IP address) and update packages before moving the
server to an Internet-facing position.

The point is that being behind NAT, the machine is inaccessible anyway.
It actually can't be directly addressed. So, the only traffic with it is
the outbound-initiated HTTPS traffic with RHN, and that's tied to the IP
Address for what it's worth, too. I feel that this combination is pretty
safe. I can double-check md5sum values on CDs and package sigs if I
want to be doubly careful, but I don't bother.

My feeling is that spoofing the IP successfully, intercepting the HTTPS
channel, trojaning the right packages on the fly, with the need to
subvert the HTTPS encryption and authentication, at just the right time,
is all really quite hard to accomplish, no? So, I would suggest
proposing this scenario to your security people.

I think it would be nice for the list if you could summarise what your
security team feels about this kind of approach -- if I've overlooked
something that they can identify, then that'd be valuable for me and
others, I'm sure.

Cheers!
James.


----------Original Message----------
From: Bob Gorman <bob at rsi.com>
To: rhn-users at redhat.com
Subject: Re: [rhn-users] Off-line update
Date: Thu, 04 Mar 2004 12:05:31 -0500

At 04:02 PM 3/3/2004, Hill Webmaster wrote:
> I am in the process of purchasing several licenses for RHEL 3. My
> network security folks require that all security patches be applied
> before connecting the machine to the network. Are all the updated rpms
> available for download in the RHN? If so, does anyone know the proper
> method to upgrade all the updated rpms? Can that be done with a single
> wildcarded rpm freshen or upgrade command or something similar once
> all the new rpm packages are in a directory somewhere? Is it necessary
> or does rpm automatically restart appropriate services after upgrading
> a program, service or library?

You cannot download all available RPMs for a channel - period. Even
paying subscribers. Amazing, isn't it?!

It is just about impossible to make a fully patched system in an
off-line environment. To do so you must have a different system that is
already on-line, registered in the RHN, and subscribed to the proper
channel.

If you don't have that, then you must do it with the new system that you
are building. I know, it's horrible and potentially opens the new system
to security breaches, but it is what RedHat is forcing you to do: use
their inadequate up2date program.

If you do have another system to work from you can try this approach:
Start with the Update1 ISOs. Then identify which RPMs need to be
updated. Manually download the RPMs from the RHN web site, or try to get
them via up2date from the existing system.  It's a cumbersome manual
process.

Hope that helps!
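The off-line procedure both messages describe (check the CD checksums and package signatures on a staging box, then apply the updates with a single rpm freshen) as an added shell example; it is not code from the thread, and the staging paths, the MD5SUM file name and the key file location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: verify Red Hat CD checksums and
# RPM package signatures on a staging box before freshening an off-line
# server. STAGE, the MD5SUM file and the key file path are assumptions.
set -eu

# verify_iso_checksums DIR
# DIR holds the downloaded ISOs plus the MD5SUM file shipped beside them.
# Returns 0 only if every checksum listed in MD5SUM matches.
verify_iso_checksums() {
    ( cd "$1" && md5sum -c --quiet MD5SUM >/dev/null 2>&1 )
}

# verify_rpm_signatures DIR KEYFILE
# Imports the vendor GPG key, then runs rpm --checksig on every package.
# Caveat: rpm --checksig exits 0 for an *unsigned* package (only the
# digests are checked), so a signature line in the output is also required.
verify_rpm_signatures() {
    dir=$1; key=$2
    rpm --import "$key"
    for pkg in "$dir"/*.rpm; do
        out=$(rpm --checksig "$pkg") || { echo "BAD: $out" >&2; return 1; }
        # rpm 4.x prints "... gpg OK"; newer releases print "signatures OK"
        case $out in
            *"gpg OK"*|*"signatures OK"*) ;;
            *) echo "UNSIGNED: $pkg" >&2; return 1 ;;
        esac
    done
}

# apply_updates DIR
# Freshen (-F) only packages that are already installed, so nothing new
# is pulled onto the box; -v -h give per-package progress output.
apply_updates() {
    rpm -Fvh "$1"/*.rpm
}

# Usage, as root on the staging box after copying the updates into $STAGE:
#   STAGE=/var/tmp/rhel3-updates
#   verify_iso_checksums "$STAGE/iso" &&
#   verify_rpm_signatures "$STAGE/rpms" "$STAGE/RPM-GPG-KEY" &&
#   apply_updates "$STAGE/rpms"
```

Only the checksum step runs without rpm present; the signature and freshen steps need the rpm binary and root on the staging machine.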
